Dropbox Tries To Kill Off Open Source Project With DMCA Takedown

from the copyright-as-censorship dept

Teck points us to the troubling news of Dropbox seeking to kill off an open source project through questionable means, involving DMCA notices. As you may have heard, Dropbox got into a bit of a security/privacy kerfuffle lately after some researchers questioned the news that it uses a hash function to deduplicate files on its servers. If you don't know, Dropbox is a cloud storage system that's pretty useful. However, one of the ways it attempted to save some costs was that if you sought to upload a file that was identical to a file on someone else's shared server, it wouldn't actually "upload" your file, but just point you to the single file. There were clear security and privacy questions about this.

Of course, some noted that it could also represent an "opportunity" of sorts, and out of that came a project called Dropship -- which used a little hack to use this deduping tech to make Dropbox think you were trying to upload specific content that you might not actually have, and then the actual file (if already stored in someone else's Dropbox) would automatically appear in yours as well. Obviously, one key use of such a technology would be to make unauthorized copies of music and movies. Dropbox, for obvious reasons, didn't like that aspect, but its response to this was pretty troubling: it focused on censoring information about Dropship.

Dropbox's CTO and cofounder, Arash Ferdowsi, did not like Dropship. His reaction was swift. According to the project’s creator, Wladimir van der Laan, Ferdowsi contacted him soon after and requested "in a really civil way" that he take the project off of github. van der Laan complied.

Others quickly mirrored the project (some in their own Dropboxes) and Dropbox contacted all of them in a that same "civil way," asking each to remove the content... but in at least one case, with Dan DeFelippi, they sent a DMCA takedown, despite not being the legitimate copyright holder (a violation of the DMCA process). When confronted on this, Dropbox backed down and claimed that the DMCA notice (and subsequent limits on the guy's account) were really a mistake, but, along with admitting that, Dropbox was still asking the guy to remove all info about Dropship:

Soon after Ferdowsi contacted me directly, sending what I now assume is the same “really civil” request he sent to others. He requested that I not only remove the archive from Dropbox but delete my posts on Hacker News, which at that point included the fake DMCA takedown. He outlined his objections, that Dropship reveals their proprietary client-server protocol and that it could be used for piracy. He told me that the DMCA takedown was a mistake and reverted the lockdown on my public files.

First of all, attempting to protect a proprietary protocol is going to get them nowhere. His argument implied security by obscurity. Security by obscurity falls completely flat on its face in this case since their client can be analyzed by anyone with the proper skills and could be deciphered again.

Second, dealing with piracy is the responsibility of Dropbox. It’s not the problem of an innocent hacker who wrote some useful code that could benefit legitimate users and advocates the use of his software for “sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases.”

While it's good that Dropbox has been mostly civil on this, resorting to a DMCA takedown, even as a mistake, is problematic. Of course, you can't totally blame Dropbox here. As we've seen, copyright maximalists in industry and in government seem quite eager to blame tech companies if their tech might possibly be used for unauthorized access. While the law is almost certainly on Dropbox's side that it has no liability for Dropship, that wouldn't necessarily prevent them from getting hit with an annoying lawsuit. It's really an unfortunate sign of the copyright times.

Of course, the end result is also likely to be exactly the opposite of what those maximialists hope. While DeFelippi notes that Dropbox has been successful in getting many of these mirrors taken down, some are still up (including his) and the whole attempt to censor the project is only going to call that much more attention to it in the long run. I think there's a name for that phenomenon...